If your organization approaches compliance with an annual-scramble mindset, you’re asking for trouble. Depending on which standards your organization is subject to, there are elements of compliance that should be done daily, weekly, monthly, quarterly, semi-annually AND annually—and auditors can tell when you haven’t been on top of things.
Many companies just don’t care about maintaining their compliance and being secure. Sadly, they’re just looking to check the boxes and move on. Other organizations really do care about security and compliance standards, but they have a hard time staying on top of their periodic tasks. This is especially difficult if you’re using a directional standard like HIPAA.
The Problem with Directional Standards
HIPAA was written for a broad audience, so it’s very directional but not very prescriptive. It lays out the ends but not the means. For example, HIPAA requires that you have secure authentication, but it doesn’t say how. PCI, by contrast, prescribes how to do that—everyone needs their own username and their own password, and that password must meet specific length and complexity requirements. Prescriptive standards like PCI set requirements for the means as well as the ends.
If you’re following a directional standard, you have to figure out on your own how you’re going to do the implementation. There are no built-in tasks or accountability to keep you on track. That latitude can make it difficult to figure out how to get from point A to point Z. Worse yet, you may mistakenly believe you’re implementing best practices, to your detriment.
It’s like trying to drive from Baltimore to Dallas without a map or directions—you know the general direction, and you’ll know it when you arrive, but you’re guaranteed to make some wrong turns along the way and backtrack several times. Your trip will take a lot longer, and you’ll probably get frustrated with the people in your vehicle.
PCI Can Fix HIPAA Hassles
If you’re using a directional standard like HIPAA, it’s up to you to stay on top of your compliance activities throughout the year. You need to figure out for yourself how you’re going to manage compliance.
That can be a pretty daunting responsibility. To make things more manageable, we often recommend that organizations get certified against a more prescriptive standard like PCI, even if they aren’t required to. PCI provides built-in accountability for periodic tasks, so it’s always clear what you need to do, how you need to do it, and when. And by meeting PCI’s prescriptive requirements, you will typically also exceed the technical requirements of your directional standard.
PCI prescribes specific tasks that need to be done daily, weekly, monthly, quarterly, semi-annually and annually. For example, one daily PCI task is to review your logs. A weekly PCI task is to run file integrity monitoring. These tasks keep you on track throughout the year by providing the accountability that HIPAA doesn’t prescribe.
Automated Accountability Makes Compliance Easier
TCT Portal’s Operational Compliance mode was developed because we would often see companies forget to complete several periodic requirements during the year. This puts your organization at risk of being non-compliant, and it raises your auditor’s suspicions.
The Operational Compliance mode automatically prompts the assigned personnel on a quarterly basis to help your team stay on top of periodic tasks. It helps you proactively confirm that your organization’s periodic tasks are being done throughout the annual cycle—not just as you prepare for the auditor’s visit. It provides peace of mind that you’re staying on track, and it helps keep your company secure at the same time!
TCT Portal gives anyone in your organization the ability to log in at any time and see the current state of your compliance, because the information is real-time. It provides confirmation throughout the year that you’re staying on track and doing what you’re supposed to be doing.
It’s a whole lot easier for your consultant or internal auditor to make early corrections throughout the year than for the external auditor to catch glaring issues during the annual audit. Instead, your auditor will see that you’re being proactive and making corrections as you go—and that’s what they love to see.
Find out how TCT Portal can make a difference for your company—get your personalized demo.